The application parses download requests, which are added to the
download queue, but does not properly validate the length of the
complete download queue object when it?s removed from the queue by the
user. The following function from fdm.exe (source file:
Downloads_Deleted.cpp) is triggered on deletion:

void CDownloads_Deleted::UpdateDownload(int iItem)

This function reads the filename of the download object using
CDownloads_Tasks::GetFileName into szFile and adds the whole URL value
as a description (in brackets) via an insecure strcat() sequence to
szFile during the queue deletion process.

Since the application follows HTTP 301 redirects, an attacker who
controls the target HTTP server is able to send arbitrary long filename
values to exploit this flaw. If the complete name of the queued download
exceeds the size of szFile (10000 bytes), strcat() writes outside the
expected memory boundaries.

This leads to a stack-based buffer overflow with an overwritten SEH
chain or return points, resulting in remote code execution. Successful
exploits can allow remote attackers to execute arbitrary code with the
privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.

This vulnerability is also exploitable locally via "File->Import->Import
list of downloads"